gozi_ifsb | 266d88e6796be43f470e11e7da3fb0f63127dc747513d297c50d75148b353602

General

Target

docs,06.21.doc
Size

50KB
MD5

a75fa282ba05937f43c4425e548f1d5c
SHA1

565ca43482c76d02eb4f5e55deb2af53dfa3b8db
SHA256

266d88e6796be43f470e11e7da3fb0f63127dc747513d297c50d75148b353602
SHA512

6343c053c5cca9f6e4b9e4b157c19aba9c47cc1722e4b8a158009cce7c7a8cb88dc3cbb95581888c76fd708c1d8c212dca1a5dc9a393594957fb7f6602c119f5

Score

10^/10

gozi_ifsb 6000 banker trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

6000

C2

gtr.antoinfer.com

app.bighomegl.at

Attributes

build
250204
exe_type
loader
server_id
580

rsa_pubkey.base64

serpent.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1232	792	cmd.exe	WINWORD.EXE

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

6 1300 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

1780 regsvr32.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
6	1300	mshta.exe

pid	process
1780	regsvr32.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

792 WINWORD.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

WINWORD.EXE

pid	process
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE
792	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

WINWORD.EXEcmd.exemshta.exe

description	pid	process	target process
PID 792 wrote to memory of 1232	792	WINWORD.EXE	cmd.exe
PID 792 wrote to memory of 1232	792	WINWORD.EXE	cmd.exe
PID 792 wrote to memory of 1232	792	WINWORD.EXE	cmd.exe
PID 792 wrote to memory of 1232	792	WINWORD.EXE	cmd.exe
PID 1232 wrote to memory of 1300	1232	cmd.exe	mshta.exe
PID 1232 wrote to memory of 1300	1232	cmd.exe	mshta.exe
PID 1232 wrote to memory of 1300	1232	cmd.exe	mshta.exe
PID 1232 wrote to memory of 1300	1232	cmd.exe	mshta.exe
PID 792 wrote to memory of 1188	792	WINWORD.EXE	splwow64.exe
PID 792 wrote to memory of 1188	792	WINWORD.EXE	splwow64.exe
PID 792 wrote to memory of 1188	792	WINWORD.EXE	splwow64.exe
PID 792 wrote to memory of 1188	792	WINWORD.EXE	splwow64.exe
PID 1300 wrote to memory of 1780	1300	mshta.exe	regsvr32.exe
PID 1300 wrote to memory of 1780	1300	mshta.exe	regsvr32.exe
PID 1300 wrote to memory of 1780	1300	mshta.exe	regsvr32.exe
PID 1300 wrote to memory of 1780	1300	mshta.exe	regsvr32.exe
PID 1300 wrote to memory of 1780	1300	mshta.exe	regsvr32.exe
PID 1300 wrote to memory of 1780	1300	mshta.exe	regsvr32.exe
PID 1300 wrote to memory of 1780	1300	mshta.exe	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\docs,06.21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\\users\\public\\buttListboxSngl.hta
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\buttListboxSngl.hta"
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\buttListboxSngl.jpg
4⤵
- Loads dropped DLL
PID:1780

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\users\public\buttListboxSngl.hta
MD5
aa68b2d92b79feae09dcb76d34ac9fb7

SHA1
8ead6aa56c4426d4fe5f7d415d927379a116c03d

SHA256
7a8ba83948952fb9fdc6237adf609e8e3f1caf2dbce6ca6e6b5ae4aca0d04a20

SHA512
a09cf9694aee32013a3ee6718d30168f6ee2fb407a7396fece6388009de9608391725d4e590f1f659fcfcd7830cb644310cae4463127772fa5d00ed8f7fbc793

Download Submit
\??\c:\users\public\buttListboxSngl.jpg
MD5
f898faedc2fd455398a9efdebf1ce335

SHA1
781b649cff1e06c3ce2a8c64eccbe47bd8f126fa

SHA256
cc43bb886726bc8101659ba26f0eeda8f540dc81eb8ef7e8366b2c04e5b3a495

SHA512
6d19028134ccc5e40cecc40009cd33cdedcc7a2c6d3feb33e089a6197176fb7022e38b8d04296ecfc89c7270f2b13ead8bb226196d59ea6abe63bb78583f28b4

Download Submit
\Users\Public\buttListboxSngl.jpg
MD5
f898faedc2fd455398a9efdebf1ce335

SHA1
781b649cff1e06c3ce2a8c64eccbe47bd8f126fa

SHA256
cc43bb886726bc8101659ba26f0eeda8f540dc81eb8ef7e8366b2c04e5b3a495

SHA512
6d19028134ccc5e40cecc40009cd33cdedcc7a2c6d3feb33e089a6197176fb7022e38b8d04296ecfc89c7270f2b13ead8bb226196d59ea6abe63bb78583f28b4

Download Submit
memory/792-61-0x000000006FAF1000-0x000000006FAF3000-memory.dmp

Filesize
8KB

Download
memory/792-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/792-75-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/792-60-0x0000000072071000-0x0000000072074000-memory.dmp

Filesize
12KB

Download
memory/1188-67-0x0000000000000000-mapping.dmp

Download
memory/1188-68-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/1232-64-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1232-63-0x0000000000000000-mapping.dmp

Download
memory/1300-66-0x0000000000000000-mapping.dmp

Download
memory/1780-69-0x0000000000000000-mapping.dmp

Download
memory/1780-73-0x000000006A910000-0x000000006A91D000-memory.dmp

Filesize
52KB

Download
memory/1780-74-0x000000006A910000-0x000000006AA40000-memory.dmp

Filesize
1.2MB

Download
memory/1780-76-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads